December 2005
Report No. 06-004

Project Management Framework for the Asset Servicing Technology Enhancement Project

AUDIT REPORT

Background and Purpose of Audit

One of the FDIC’s critical functions is to manage and liquidate all assets of failed financial institutions. The Corporation’s existing asset servicing environment comprises a complex system of external, interim, and internal (in-house) servicing capabilities. The in-house technology consists of aging and highly customized commercial off-the-shelf software and internally developed applications that fulfill specific business functions. The purpose of the Asset Servicing Technology Enhancement Project (ASTEP) is to modernize the asset servicing function and align the processes performed under this function with industry best practices. ASTEP will allow the FDIC to maximize the use of commercially available software products to integrate as much of the asset servicing function as possible and to provide the FDIC with a variety of vendor sourcing options.

The objective of the audit was to determine whether the FDIC has established an adequate project management control framework for ensuring the delivery of ASTEP in a timely and cost-effective manner to meet corporate requirements and user needs. The report was prepared by KPMG LLP under a contract with the Office of Inspector General (OIG) to provide professional audit services.

Results of Audit

The ASTEP project management team developed planning documents and implemented various activities that generally complied with the FDIC’s project management guidance and that the project team considered commensurate with the status of the project. During the initiation phase of ASTEP, the project management team performed business case analyses to identify benefits and improvements to the current system of asset servicing and developed a project work plan identifying activities to complete associated milestones. During the planning phase for system development, the project team also developed project charters that defined the goals and objectives for various project teams’ functions and a project governance structure that described support functions to manage system development activities. Additionally, the project team developed acquisition strategy, communications, risk management, and configuration management plans.

As ASTEP enters into the execution phase for system development and is re-baselined, the project team needs to further strengthen its planning documents and management control processes to take into account the additional information obtained during the earlier project phases and to be commensurate with the additional risk associated with latter project phases. Strengthening the project management controls will facilitate decision making and monitoring and help ensure that ASTEP meets the needs of its users within schedule and budget requirements.

Recommendation and Management Response

KPMG recommended that as part of project re-baselining efforts, the FDIC:
• fully document the costs and benefits of the ASTEP solution selected, and
• enhance the ASTEP planning process to address the areas of improvement discussed in the report to achieve greater compliance with the FDIC Project Management Guide and to provide greater assurance of ASTEP success.

Management agreed with the recommendations and has either initiated or plans to initiate corrective actions.

[Figure: ASTEP project vision and objectives]
Source: ASTEP Current State Assessment Report, December 7, 2004.

Federal Deposit Insurance Corporation, Office of Inspector General, Office of Audits
801 17th Street NW, Washington, DC 20434

DATE: December 16, 2005

MEMORANDUM TO: Mitchell L. Glassman
               Director, Division of Resolutions and Receiverships

FROM: Russell A. Rau [Electronically produced version; original signed by Stephen M. Beard]
      Assistant Inspector General for Audits

SUBJECT: Project Management Framework for the Asset Servicing Technology Enhancement Project (Report No. 06-004)

Enclosed is a copy of the subject report prepared by KPMG LLP under a contract with the Office of Inspector General. Please refer to the Executive Summary for the overall audit results. The firm’s report is presented as Part I of this document.

A summary and evaluation of your response, the response in its entirety, and the status of the recommendations are contained in Part II of this report. The response adequately addressed the recommendations in the report. We consider the recommendations to be resolved, but they will remain open until we have determined that agreed-to corrective actions have been completed and are effective.

If you have any questions concerning the report, please contact Stephen M. Beard, Deputy Assistant Inspector General for Audits, at (202) 416-4217, or Ben Hsiao, Associate Director, Systems Management and Systems Security Directorate, at (202) 416-2117. We appreciate the courtesies extended to the audit staff.

Attachment

cc: Steven Trout, DRR
    Rack Campbell, DIT

Table of Contents

Part I:
    Report by KPMG LLP
    Project Management Framework for the Asset Servicing Technology Enhancement Project

Part II:
    Corporation Comments and OIG Evaluation
    Corporation Comments

Part I
Report by KPMG LLP

Project Management Framework for the Asset Servicing Technology Enhancement Project (ASTEP)

Prepared for the
Federal Deposit Insurance Corporation
Office of Inspector General

Prepared by:
KPMG LLP
Risk Advisory Services – Federal Practice
2001 M Street, NW
Washington, DC 20036
(202) 533-3000

TABLE OF CONTENTS

EXECUTIVE SUMMARY
    Results of Audit
    Recommendations

BACKGROUND

DETAILED FINDINGS
    FINDING 1: Cost-Benefit Analysis
    FINDING 2: Improvements in Project Planning

APPENDIX A: OBJECTIVE, SCOPE, AND METHODOLOGY

APPENDIX B: FDIC PROJECT MANAGEMENT FRAMEWORK

APPENDIX C: PMBOK® GUIDE OVERVIEW

APPENDIX D: ACRONYMS

TABLES
    Table 1: Summary of Findings
    Table 2: ASTEP CBA – Return on Investment Study
    Table 3: Mapping of PMBOK® Guide Knowledge Areas to Management Processes

FIGURES
    Figure 1: ASTEP Project Vision and Objectives
    Figure 2: FDIC Project Management Life Cycle

EXECUTIVE SUMMARY

The Federal Deposit Insurance Corporation (FDIC) Office of Inspector General (OIG) contracted with KPMG LLP (KPMG) to provide professional audit services. KPMG was tasked under the contract to audit and report on the effectiveness of the project management framework for the FDIC’s Asset Servicing Technology Enhancement Project (ASTEP).

The objective of the audit was to determine whether the FDIC has established an adequate control framework for ensuring the delivery of ASTEP in a timely and cost-effective manner to meet corporate requirements and user needs. The audit addressed key elements associated with effective project management such as documenting the project scope, tasks, schedules, allocation of resources, performance measurements, and inter-relationships with other projects. Project management activities cover the full spectrum of a project; from procurement and contract management to managing team and project performance; from risk management to communications; and from controlling scope “creep” to ensuring quality control. A detailed discussion of the audit objective, scope, and methodology is provided in Appendix A of this report.

In evaluating the effectiveness of project management practices for ASTEP, KPMG relied on the FDIC’s Project Management Governance policy and the FDIC Project Management Guide; both were issued in September 2004. The governance policy identifies key governance authorities [1] over projects and defines project management policy and oversight standards applicable to all projects at the FDIC. The policy states that all projects shall conform to minimum standards and procedures of an FDIC project management methodology as described in the FDIC Project Management Guide. [2] The governance policy also provides oversight, funding, training, and reporting requirements applicable to effective management of FDIC projects. The FDIC Project Management Guide establishes a project management framework to provide project managers with repeatable and sustainable guidelines to ensure projects are well coordinated, thoroughly planned, properly executed, and closed out in accordance with managed and disciplined processes. The guide also includes templates and checklists that are intended to help project managers effectively and efficiently implement FDIC projects. The use of the techniques and forms in the guide is highly encouraged but is not mandatory. For further details on the project management framework, see Appendix B.

KPMG conducted its work from March 11, 2005 through July 29, 2005 in accordance with generally accepted government auditing standards.

[1] Governance authorities, such as the key decision makers, include the Capital Investment Review Committee (CIRC), Chief Information Officer (CIO) Council, and Division Executive Sponsors.
[2] The methodology described in the FDIC Project Management Guide is based on the Project Management Institute’s (PMI), Project Management Body of Knowledge (PMBOK®) Guide, which is recognized as a commercial and public sector “best practice.” Appendix C of this report provides an overview of the guide’s applicability to the FDIC.

Results of Audit

The ASTEP project management team developed planning documents and implemented various activities that generally complied with the FDIC’s project management guidance and that the project team considered commensurate with the status of the project.

As ASTEP enters into the execution phase of system development (execution phase) and is re-baselined, the project team needs to further strengthen its planning documents and management control processes to take into account the additional information obtained during the earlier project phases
and to be commensurate with the additional risk associated with latter project phases. Strengthening the project management controls will facilitate decision making and monitoring and help ensure that ASTEP meets the needs of its users within schedule and budget requirements. Table 1 provides a summary of KPMG’s findings and areas in which project planning could be strengthened.

Table 1: Summary of Findings

Element of Project Planning: Business Needs
Description: To justify how the project will meet needs.
Assessment, Summary of Status:
    • Business case analysis was performed.
    • Benefits and process improvements were identified.
Assessment, Areas That Could Be Strengthened:
    • Cost and benefit estimates for the ASTEP solution should fully describe how estimates are derived.

Element of Project Planning: Description, Goals, and Objectives
Description: To provide an understanding of the program nature of the project.
Assessment, Summary of Status:
    • Adequate descriptions were provided.
    • Goals and objectives for various project teams/functions were identified.
Assessment, Areas That Could Be Strengthened:
    • Not applicable.

Element of Project Planning: Organization, Roles, and Responsibilities
Description: The organization, staff, roles, and responsibilities involved in project development.
Assessment, Summary of Status:
    • Project team members were identified.
    • Roles and responsibilities were fully defined for executive sponsor and project manager only.
Assessment, Areas That Could Be Strengthened:
    • Roles and responsibilities addressing inter-relationships and integration of responsibilities across charters should be defined.

Element of Project Planning: Work Breakdown Structure (WBS)
Description: The supporting detail to plan, organize, and control work performed.
Assessment, Summary of Status:
    • ASTEP governance handbook requires a WBS.
    • Work products were defined as deliverables.
Assessment, Areas That Could Be Strengthened:
    • In the WBS, relationships between major activities, tasks, and deliverables should be defined with supporting detail to plan, organize, and control work performed.

Element of Project Planning: Project Schedule
Description: The task, duration, resource availability, milestones, and constraints.
Assessment, Summary of Status:
    • ASTEP governance handbook provides guidance on developing a project schedule.
Assessment, Areas That Could Be Strengthened:
    • A project schedule should be established that is accurate, complete, and at a level of detail sufficient for project management.
    • Tasks/milestones critical to project success need to be identified and highlighted for monitoring purposes.
    • Staff and capital resource availability should be addressed.

Element of Project Planning: Resource/Cost Estimate
Description: The resource estimate for each WBS element by resource category (e.g., capital, fiscal, personnel, and time).
Assessment, Summary of Status:
    • The contractor was identifying staff resources for each activity.
Assessment, Areas That Could Be Strengthened:
    • Resources should be budgeted based on the activities in the WBS and actual costs should be tracked in relation to the budgets.
    • FDIC staff resource requirements, including costs, should be fully defined.
    • The type of resource should be defined (e.g., capital resources such as office space, supplies, information technology (IT) equipment, and other materials for the ASTEP development, test, and production environment).

Element of Project Planning: Acquisition Plan
Description: The processes for acquiring needed resources.
Assessment, Summary of Status:
    • ASTEP Acquisition Strategy was defined.
Assessment, Areas That Could Be Strengthened:
    • Not applicable.

Element of Project Planning: Project Controls
Description: To monitor project scope, schedule, and cost performance. To identify variances from planned objectives. To take corrective actions.
Assessment, Summary of Status:
    • Weekly meetings and bi-weekly status reports monitor project progress.
        - Contractor was providing bi-weekly status reports on schedule and revisions, issues, and risks.
    • Executive sponsors were briefed monthly.
Assessment, Areas That Could Be Strengthened:
    • A formal process at the project level should be established to evaluate variances and, if needed, to initiate corrective actions to control variances in schedule, cost, scope, resources, and quality.
    • A master project plan should be used to monitor and control progress.
    • ASTEP-specific contract oversight procedures should be formally addressed.
    • An overall project performance measurement plan should be established.
    • Project issue logs should be consistently used to assess impact on schedule and budget.

Element of Project Planning: Change Management
Description: To manage changes in scope, schedule, outputs and deliverables.
Assessment, Summary of Status:
    • Change management process was defined for managing all ASTEP system requirements.
    • Configuration Control Board (CCB) was established to review and approve changes proposed.
Assessment, Areas That Could Be Strengthened:
    • The project baseline should be included as a configuration item subject to change management control.

Element of Project Planning: Risk Management
Description: To identify, assess, and manage project risks.
Assessment, Summary of Status:
    • Risk Assessment Questionnaire was completed to address likelihood of occurrence (qualitative).
    • Risk database/log was provided.
    • Risks were reviewed in monthly meetings (high risks are identified in status reports to executive sponsors).
Assessment, Areas That Could Be Strengthened:
    • The risk management plan should be finalized.
    • The current risk management process should be fully defined in a risk management plan.
    • Detailed risk mitigation plans should be developed.
    • Issues in contractor status reports should be addressed in accordance with FDIC project management guidelines.

Element of Project Planning: Communications Management
Description: To detail communication initiatives.
Assessment, Summary of Status:
    • Established communication plan was generally compliant with the PMBOK® Guide.
    • Stakeholder information needs were defined.
Assessment, Areas That Could Be Strengthened:
    • Communication activities for ASTEP Oversight Managers and Technical Monitors should be clarified.

Source: FDIC Project Management and Governance Guides and ASTEP Project Planning Documentation.

Recommendations

KPMG recommends that, as part of the current project re-baselining efforts, the Division of Resolutions and Receiverships (DRR), in coordination with the Division of Information Technology (DIT):
• fully document the costs and benefits of the ASTEP solution selected for development and
• enhance the ASTEP project planning process to address the areas of improvement discussed in this report to achieve greater compliance with the FDIC Project Management Guide and to provide greater assurance of ASTEP project success.

BACKGROUND

One of the critical functions
for the FDIC is to manage and liquidate all assets of failed financial\ninstitutions. The FDIC\xe2\x80\x99s existing asset servicing environment is composed of a complex system\nof external, interim, and internal (in-house) servicing capabilities. The in-house technology\nconsists of aging and highly customized commercial off-the-shelf (COTS) software and\ninternally developed applications that fulfill specific business functions. The FDIC uses 13\nmajor asset servicing systems supported by a number of minor applications, automated utilities,\nand contracted services.\n\nThe purpose of ASTEP is to modernize the asset servicing function at the FDIC and align the\nprocesses performed under this function with industry best practices. ASTEP will allow the\nFDIC to maximize the use of commercially available software products to integrate as much of\nthe asset servicing function as possible. ASTEP will\nalso allow the FDIC to use a variety of vendor-sourcing\noptions. Figure 1 illustrates ASTEP project vision and\nobjectives.                                                        Thought\n                                                                              leader and\n                                                                             visionary for\nThe FDIC established ASTEP on October 7,                                  the banking\n2003, and the FDIC Board of Directors                                      community\n                        3\napproved $31.8 million for ASTEP\ndevelopment. 
Prior to Board approval of                                 \xc2\x83 Be a seller\nASTEP, a cost-benefit analysis was                              \xc2\x83 Ability to scale to handle\nperformed that considered four options:                           failure of a large institution\n    \xe2\x80\xa2 Status Quo \xe2\x80\x93 No change (this was                        \xc2\x83 Move organization away from\n                                                                         functional silos\n       not considered by DRR as a\n                                                              \xc2\x83 Adopt industry best practices\n       viable option);\n    \xe2\x80\xa2 Enhanced Status Quo \xe2\x80\x93 Enhance\n       National Processing System                \xc2\x83 Single source of data          \xc2\x83 Common user interface/\n              4                                                                     experience\n       (NPS), as the system for                  \xc2\x83 Single reporting platform\n       servicing receivership loans,                                              \xc2\x83 Automated workflows\n       to be compatible with an                  \xc2\x83 Adaptable integration\n                                                   Infrastructure                 \xc2\x83 Enhanced data quality and\n       upgraded operating system;                                                   timeliness\n    \xe2\x80\xa2 NPS Replacement \xe2\x80\x93 Replace\n       NPS with a COTS                            Figure 1: ASTEP Project Vision and Objectives\n       product that is hosted by         Source: ASTEP    Current State Assessment Report, December 7, 2004.\n       a contractor application\n       service provider (ASP); and\n    \xe2\x80\xa2 \xe2\x80\x9cBest of Breed\xe2\x80\x9d \xe2\x80\x93 Replace NPS with a COTS product that is hosted by an ASP. 
Also,\n       integrate asset servicing business processes applications and databases through the use of\n3\n  The $31.8 million budget for ASTEP development included about $2.9 million as a contingency reserve with an\nestimated project completion date of March 2005. Total budget outlays estimates, including life-cycle maintenance\ncosts, shown in the FDIC\xe2\x80\x99s cost-benefit analysis was $54.7 million over an 8-year period.\n4\n  NPS is a highly customized COTS product that is the major component of asset servicing systems and tracks\nactivity on assets owned by receiverships and the Corporation.\n\n\n\n                                                        I-6\n\x0c         middleware technology5 and data warehousing with data transformation and workflow\n         capabilities to achieve a common source of data and to maximize sharing of updates\n         across the organization.\n\nDRR selected the \xe2\x80\x9cBest of Breed\xe2\x80\x9d solution, which consists of key IT components that will\nfacilitate achieving the following:\n\xe2\x80\xa2        replacement of NPS with an industry standard asset servicing loan accounting system that\n         is hosted by an ASP for managing loan assets acquired from failed banks and financial\n         institutions;\n\xe2\x80\xa2        implementation of middleware technology to integrate applications and databases and\n         standardize data flows between FDIC contract servicers and interim servicers (banks);\n\xe2\x80\xa2        security protocols that will authenticate and facilitate secure data transmission from\n         external data sources and will support single sign-on for users; and\n\xe2\x80\xa2        implementation of a data warehouse to provide a timelier asset data and enterprise portal\n         in handling ASTEP reporting requirements.\n\nThe FDIC\xe2\x80\x99s expectations are that this approach will apply industry\xe2\x80\x99s best practices in\nstreamlining the asset servicing process, which 
will also involve extensive re-engineering of the\nasset servicing business process cycles related to managing and servicing an asset from\nacquisition by the FDIC to asset disposition.\n\nThe FDIC has contracted with three vendors to (1) provide project management advisory\nsupport, (2) replace NPS with a COTS Loan and Customer Information System managed by an\nASP, and (3) develop the designated requirements and system design for the remaining ASTEP\nsolution, and implement the solution. Key activities performed to date include: replacing NPS\nwith the ASP, Metavante Corporation, in March 2005 (the first significant aspect of the ASTEP\nimplementation); completing a requirements analysis in June 2005; and completing the system\ndesign in August 2005.\n\nOriginally, ASTEP system deployment was to occur by March 2005. However, the project has\nexperienced delays. The project management team indicated that the delays were due to\nunforeseen circumstances that were not under its control, such as delays in obtaining contract\nauthority; procuring the services of the three vendors; acquiring and piloting a new middleware\nsoftware product (Websphere, which incurred a 9-month delay); and changing the procurement\napproach from task assignments to task orders. The project management team also indicated that\nfurther delays occurred because of organizational changes that limited availability of the staff to\nwork with the contractor responsible for performing ASTEP requirements and design activities.\n\nIn September 2005, the ASTEP project management team began updating the cost and benefit\nestimates on the current ASTEP \xe2\x80\x9cBest of Breed\xe2\x80\x9d solution based on detailed information obtained\nfrom performing requirements analysis and design specification activities. 
The process of
updating the estimates is part of the project management team’s efforts to re-baseline the project
because the original deployment goals and objectives are no longer achievable within the
original timeframe. According to ASTEP management officials, their more complete
understanding of system requirements and design specifications will enable them to more
accurately determine the costs and benefits of the project. This, in turn, will enable the ASTEP
project management team to develop a more accurate, relevant, and reliable revised project plan.

[5] Software that increases the flexibility, interoperability, and portability of existing infrastructure by linking or
“gluing” two otherwise separate applications.

Project Management Principles Applicable to ASTEP

In September 2004, the FDIC issued its Project Management Governance policy to identify key
governance authorities over projects and to define project management policy and oversight
standards applicable to all projects at the FDIC. The policy states that all projects shall conform
to minimum standards and procedures as defined in the FDIC Project Management Guide also
issued in September 2004. The guide establishes a project management framework to provide
project managers with repeatable and sustainable guidelines to ensure that projects are well
coordinated, thoroughly planned, properly executed, and closed out in accordance with managed
and disciplined processes (see Appendix B).

ASTEP Management Structure

The ASTEP project management team consists of a group of Executive Sponsors from DRR,
DIT, Division of Administration (DOA), and Division of Finance (DOF); a senior management
official from DRR who serves as the principal executive sponsor; a DRR and DIT Project
Manager; and project core team members from DRR, DIT, and DOF.
The DRR Project
Manager’s duties include orchestrating executive sponsor meetings; managing resources;
resolving business issues; providing oversight; managing one of the ASTEP contractors
(BearingPoint); and reviewing deliverables, invoices, and task orders. The DIT Project Manager
is the oversight manager for the Deloitte Consulting LLP contract responsible for reviewing
deliverables, invoices, and task orders. The core team members provide various services to
ASTEP related to administration and technical project management oversight, including
monitoring the contractor and serving as coordinators with end users and other projects with an
interest in ASTEP. Additionally, the ASTEP project management team has established a user
group that will assist in validating business process and data models, developing reports, testing
the system as it is developed, and acting as an intermediary with the ASTEP staff to address
questions or issues regarding the project.

DETAILED FINDINGS

The project management team for ASTEP has applied several of the principles promulgated in
the FDIC Project Management Guide. During the initiation phase of the project, the ASTEP
project management team performed business case analyses to identify benefits and
improvements that can be made to the current system, including developing a conceptual model
for planning and executing the project; identifying positive and negative impacts of the project
on stakeholders; and developing initial estimates for the return on investment. The ASTEP
project management team developed project charters that define the goals, objectives, and
descriptions of various project functions to be performed, including the identification of key
team members. A risk analysis was completed prior to project commencement to identify issues
that could negatively impact the project.
At the start of systems development life-cycle
activities, the project management team developed a governance structure and a schedule-based
project plan that describes various functions to manage ASTEP analysis and design activities.
During that period, the project management team also developed an integrated acquisition
strategy, as well as communications, risk management, and configuration plans.

As ASTEP enters into the execution phase and is re-baselined, the FDIC needs to strengthen its
project management control framework through completion of the ASTEP master project plan.
Specifically, the FDIC needs to more fully describe the methods used in deriving the costs and
benefits associated with the ASTEP solution and improve various elements of project planning to
achieve greater compliance with the FDIC’s project management guidance and to provide greater
assurance of ASTEP success. If these issues are not fully addressed, the FDIC may lack
sufficient information to make informed decisions regarding project development activities that
may impact the success of the project. Details of these findings are addressed below.

Finding 1: Cost-Benefit Analysis

Condition:
The ASTEP Cost-Benefit Analysis (CBA) generally stated that the ASTEP project management
team received information from a variety of sources for use in determining quantifiable costs of
the options.
The information included (1) 2003 budget estimates and rates that served as the
basis for estimating the future cost of operations, maintenance, and new development and
(2) other cost estimates provided by companies offering services to the FDIC based on either
hourly rates or costs that were offered on a per-function or per-transaction basis or that were
based on formulas such as a percentage of loan volumes or loans processed.

The CBA report did not link the estimated cost items to their sources and fully describe methods,
assumptions, and rationales for determining life-cycle costs and benefits for the options
reviewed. Specifically, for the budget category line items in areas such as new development and
maintenance, KPMG noted that cost breakdowns for the options reviewed often did not describe
how estimates had been derived. For example, many line items listed the number of FDIC
employees (full-time equivalents) or contractors needed but did not justify the activities planned
to be performed or work products to be completed. In other instances, only partial explanations
were provided.

Similarly, KPMG found that estimates for the benefits associated with the “Best of Breed”
option were not fully explained. Moreover, the CBA report indicated material quantifiable
benefits realized only for the “Best of Breed” option, which was the only option that addressed
all aspects of the asset servicing business process cycles. The CBA report stated that the
Enhanced Status Quo and NPS Replacement options addressed only business functionality and
did not significantly improve the FDIC’s current or future business environment. Consequently,
only the “Best of Breed” option, as shown in Table 2, contains a present value of accumulated
benefits.
In addition, the “Best of Breed” option was partially based on vendor-specific
products, such as the use of NFE PeopleSoft Web portal and data warehouse products, and did
not include a general requirements review to determine the viability of these specific products to
ASTEP applications. In March 2005, the ASTEP project management team reported that the
NFE PeopleSoft portal and data warehouse could not interface with ASTEP applications.
Therefore, additional costs may be incurred in developing an ASTEP portal and data warehouse,
which would negatively impact the CBA.

Table 2: ASTEP CBA – Return on Investment Study

Options (Amounts in Thousands)                      Status Quo  Enhanced Status Quo  NPS Replacement  Best of Breed
Total Present Value (PV) Accumulated Benefit        $0          $0                   $0               $11,965
Total PV Accumulated New Development Costs          $0          $20,383              $20,857          $26,092
Total PV of Total Operations and Maintenance Costs  $25,326     $30,734              $32,177          $28,617
Return on Investment                                N/A         -127%                -133%            -67%

Source: FDIC ASTEP Business Case and Value Analysis Executive Summary, August 15, 2003.

Cause:
The ASTEP project management team indicated that it did not have sufficient resources or
information to complete a more detailed evaluation that included an in-depth requirements
analysis and specifications of work products for the three alternative options reviewed.

The contractor for ASTEP development has recently developed system requirements and design
specifications for the “Best of Breed” option chosen as the
ASTEP solution. The completion of
the system requirements and design will provide the information needed for the ASTEP project
management team to more accurately estimate the costs and benefits of implementing the “Best
of Breed” option as the project enters the execution phase.

Criteria:
There are several criteria related to cost-benefit analysis. The FDIC Capital Investment Policy,
issued on April 11, 2005, calls for a clear and complete CBA to ensure a well-informed decision
regarding capital investments such as ASTEP.

FDIC Circular 4310.1, Utilizing Cost Benefit Analysis Methodology for the Purchase or
Development of Capital Assets, dated July 17, 1998, and Office of Management and Budget
(OMB) Circular No. A-94, Guidelines and Discount Rates for Benefit-Cost Analysis of Federal
Programs, state that CBAs should be performed to promote efficient resource allocation through
well-informed decision making. The analysis should be explicit about underlying assumptions
used to arrive at estimates of future benefits and costs. The analysis should include a statement
of the rationale behind the assumptions and a review of their strengths and weaknesses. Key
data and results should be reported to promote independent analysis and review.

Effect:
A more detailed evaluation of costs and benefits would have provided the team with a more
comprehensive CBA and with resource requirements estimates of activities or work products.
The initial CBA did not contain sufficient information to fully describe budget category items’
costs and benefits for the options that were considered.

Because the system requirements and design specifications have been developed, it is important
that the ASTEP project management team accurately estimate the costs and benefits of the “Best
of Breed” option as the project enters the execution phase.
Otherwise, the lack of accurate
estimates of costs and benefits will hinder management decision making and evaluations of
project performance.

Recommendation:
1. KPMG recommends that DRR, in coordination with DIT, fully document costs and benefits
   in updating the ASTEP solution through current re-baselining efforts, including addressing
   key activities associated with specified costs. This analysis should include the lower level of
   detail available from contractor-developed costs in deriving key system requirements and
   design specifications that address the ASTEP strategies identified by project sponsors.

Finding 2: Improvements in Project Planning

Condition:
KPMG found that the ASTEP project management team has developed planning documents and
implemented various activities that generally complied with the FDIC’s project management
guidance. However, the project team did not develop a project plan that fully complies with the
FDIC project-planning template provided in the FDIC Project Management Guide.
Improvements to various elements of project planning will achieve greater compliance with the
guide and provide greater assurance of ASTEP success as the project enters the execution phase.
Strengthening project planning will also facilitate decision making and progress monitoring and
help ensure that ASTEP meets the needs of its users within schedule and budget requirements.
Specific areas needing improvements are discussed below.

Organization Roles and Responsibilities
The ASTEP governance handbook states that the ASTEP team and its subteams should define
their respective specific goals and responsibilities in project planning charters.
KPMG’s review
of planning charters found that goals were specifically stated, but roles and responsibilities
addressing inter-relationships and integration of responsibilities across project charters were not
defined. This may impact the effectiveness of activities performed or desired outcomes
described in project charters for key areas such as ASP conversion, business process
improvement, change management, data and reporting, systems and technology, and training.

Work Breakdown Structure
The project Work Breakdown Structure does not adequately define and provide sufficient
supporting details for relationships between major activities and tasks to plan, organize, and
control the scope of work performed. For example, the WBS does not contain sufficient detail in
addressing tasks associated with defining ASTEP business process flows and developing detailed
system requirements and design specifications related to these business process flows.

Project Schedule
The master project plan does not accurately capture the estimated and actual project start and end
dates. Also, the project schedule, as the principal component of the master project work plan, is
not accurate and complete. KPMG noted many development activities that were not accurately
conveyed on the master project plan when compared to the contractor’s schedule, such as the
stated timelines for developing ASTEP design specifications and performing critical design
review activities.
KPMG also noted that the master project plan does not contain a deployment
date or dates for several systems development activities that are critical to project success, such
as testing and data conversion; subprojects are inaccurately merged into the master plan; and
resource availability issues are not addressed.

Resource/Cost Estimate
The ASTEP project management team has not developed a cost allocation plan to show the
breakdown of the $31.8 million budget approved by the FDIC Board of Directors for ASTEP.
Without a plan that shows a breakdown of costs for performing systems development activities,
the ability of the project management team to manage and control resources for future project
activities may be impaired. Further, internal FDIC staff resource requirements, including costs,
have not been defined, and resource allocations for project tasks are focused on personnel
resources only and do not address other types of resources, such as office space, supplies, IT
equipment, and other materials for ASTEP development, testing, and production environments.

Project Controls
The project management team has not established a formal process to evaluate variances and, if
needed, initiate corrective actions to control variances in schedule, cost, scope, resources, and
quality. Beyond status meetings and biweekly status reports, there are no specific formal
processes to provide updates to the project plan and no formal controls to assess variances.
Additionally, the process for ASTEP oversight and technical monitors to assess contractor
performance activities has not been formally defined.

Another area of concern is that a master project performance measurement plan has not been
formalized to identify both qualitative and quantitative measures. Such measures determine
whether the execution of project activities is producing the desired effects in assessing project
success.
The plan would align these measures with critical success factors defined at the onset of
the project, such as managing assets with external contractors; leveraging NFE technology;
having an in-house asset servicing capability; establishing the ability for users to access and view
asset data on both externally and internally managed assets; accommodating changes in FDIC
business processes; and applying an effective and highly efficient systems integration solution
between disparate data and applications.

The ASTEP project management team addresses these issues in a limited manner through
contractor status reports and user survey questionnaires taken upon completion of major
milestones. Also, the project management team tasked its systems development contractor to
define four high-level performance metrics related to cost, schedule, “goodness” of requirements,
and “goodness” of design. However, these efforts do not fully represent a formal master project
performance measurement plan that is linked to critical success factors and includes specific
methodologies to calculate and evaluate the results.

Change Management
The project management team has developed a configuration management plan and a change
control process. The plan describes the infrastructure and processes used to manage and control
changes to ASTEP deliverables and other important project-related work products. The plan
addresses the initial needs of ASTEP, which include the startup of a CCB and change
management processes for managing all ASTEP system requirements, including changes, and
assuring that the results conform to requirements.

However, the project baseline plan is not included as an item subject to change management
control.
Establishing a baseline for the project plan under a change management process would
provide the ASTEP project management team more effective control over the project if it
diverges from the plan. If a corrective action requires a change to the project baseline, the action
should be submitted to and reviewed through the change management process that includes CCB
approval. Such a process is used to establish, analyze, communicate, and record approved
changes to the project baseline.

Risk Management
The current risk management process is not fully defined in the risk management plan, and
detailed risk mitigation plans prescribed in the plan have not been developed. Additionally,
issues and risks in contractor activity reports and deliverables were often not addressed in
ASTEP project management risk and issue logs or reports. For example, in reviewing a status
report issued on July 15, 2005, KPMG noted that risk issues related to poor scope definition,
timely access to staff and third-party vendors, and integration with ASP and other COTS
technologies had not been addressed in formal project management risk logs. Therefore, KPMG
could not determine the status of these issues and risk areas. The ASTEP project management
team started using issue logs in July 2005, but the logs do not assess impact on schedule and
budget in accordance with FDIC project management guidelines.

Communications Plan
On November 5, 2004, the ASTEP project management team issued a communications plan that
addressed, by stakeholder, the communications and events planned in order to successfully
implement ASTEP. However, an ASTEP risk assessment summary report indicated that there is
a lack of defined communication responsibilities for ASTEP Oversight Managers (OMs) and
Technical Monitors (TMs).
These responsibilities, as required by the FDIC Acquisition Policy
Manual,[6] would include specific guidelines on communicating with the contractor on the
performance of key requirements development activities, including modifications to
requirements; communicating with the FDIC Contracting Officer in the development and
implementation of an oversight monitoring plan to assist in the performance of oversight
activities for complex services contracts; and communicating with TMs in delegating
performance monitoring responsibilities. Communication responsibilities of OMs and TMs need
to be clearly defined because the level of contractor activity is expected to increase as ASTEP
enters into the execution phase.

Cause:
According to the ASTEP project management team, initial project plan development and
maintenance has not been emphasized. Instead, the team placed reliance on contractor task
orders and planning schedules to manage the project, which do not take into account overall
ASTEP project performance and management responsibilities. Additionally, to define a project
scope or WBS in managing and controlling specific project activities, the project management
team stressed that it needed the finalized requirements analysis and completed detail designs.
The project management team advised us that the WBS will be refined as the project progresses
through system development activities.

Criteria:
The FDIC Project Governance Guide states that all FDIC projects are required to complete and
follow all aspects of the FDIC project management methodology described in the guide. This
includes elements of project planning in documenting project scope, tasks, schedules, allocation
of resources, performance measurements, and inter-relationships with other projects.
The project
planning activities should cover the full spectrum of a project – from procurement and contract
management to team and project performance management; from risk management to
communications management; and from controlling scope “creep” to ensuring quality control.
Additionally, the FDIC Project Management Guide emphasizes the creation and use of WBS and
performance measures for project planning. The WBS is the driver for project schedule and
project budget (e.g., resources, material, equipment, and contractors). The guide states that,
upon completion of the initiation phase, a WBS should be developed to plan, organize, and
control work performed in managing FDIC projects.

Performance measures determine whether the execution of the tasks is producing the desired
effects. Performance measures should be developed for lagging indicators of a project’s past
success or failure (such as the percentage of the budget spent or the percentage of deliverables
submitted on time). Project managers should also develop leading (predictive) measures that
prompt or support project execution decisions and can positively influence future success.

Effect:
Without effective management control and visibility into the activities occurring in ASTEP, the
project management team may lack sufficient detail to ensure that the project is successfully
executed and managed and that its status is communicated to stakeholders in a timely fashion.
Further, the development of comprehensive project planning documents is needed for the project
management team to make informed decisions in moving forward with project system
development and deployment activities.

[6] FDIC Acquisition Policy Manual, Revision 3, May 31, 2004.

Recommendation:
2.
As part of the current project re-baselining effort, KPMG recommends that DRR, in
   coordination with DIT, enhance the ASTEP planning process by addressing areas needing
   improvement, as discussed in this report, to achieve greater compliance with the FDIC Project
   Management Guide and to provide greater assurance of ASTEP success, including:

   • Defining inter-relationships and integration of responsibilities across project charters.
   • Defining the contractor oversight process in relation to ASTEP OM and TM roles,
     responsibilities, and communication activities.
   • Developing an accurate and complete master project plan baseline, under configuration
     management control, that defines all major ASTEP activities, including integrating
     contractor subteam plans into the master project plan; defines project and performance
     measures to measure project success; identifies the scope of work for major activities
     defined in the plan through a WBS; and discloses fully the cost estimates for all resource
     categories.
   • Establishing formal project controls to evaluate variances and, if needed, to initiate
     corrective actions for schedule, cost, scope, and quality variances.
   • Updating and clarifying current risk assessment procedures and practices in the ASTEP
     risk management plan and finalizing the plan.
   • Developing risk mitigation plans for high-priority risks as required by the ASTEP risk
     management plan and ensuring that issues and risks are addressed in either the risk or the
     issue logs in accordance with the FDIC’s project management guidelines.

APPENDIX A: OBJECTIVE, SCOPE, AND METHODOLOGY

Objective

The objective of the audit was to determine whether the FDIC has established an
adequate
control framework for ensuring the delivery of ASTEP in a timely and cost-effective manner to
meet corporate requirements and user needs. KPMG conducted its audit work in Washington,
D.C., and Dallas, Texas, from March 11, 2005 through July 29, 2005 in accordance with
generally accepted government auditing standards.

Scope

The scope of coverage focused on evaluating the adequacy and effectiveness of key project
management planning activities, which included the following:

• Business needs, project goals, and objectives are well defined.
• The project team structure is defined, and roles and responsibilities are documented.
• The plan is developed in sufficient detail, including work products and tasks, resources
  assigned, milestones, and constraints.
• Resource and cost budgeting is established for the WBS.
• An acquisition plan defines processes for acquiring and managing resource requirements to
  ensure resource availabilities.
• Project control processes are implemented to monitor project scope, and measurements are in
  place for comparing actual work product and task attributes, effort, cost, and schedule to the
  plan at prescribed milestones or control levels within the project schedule or WBS.
  This includes determining whether controls enable timely corrective action to be taken when
  performance deviates significantly from the plan.
• Change control management is in place to manage changes in scope, schedule, outputs, and
  deliverables.
• The risk management process is documented and applied in identifying, assessing, and
  efficiently managing project risks.
• A communications management plan identifies information recipients, their needs, and
  detailed communication methods and frequencies.

Methodology

KPMG evaluated the project management control framework for ASTEP according to the
FDIC’s Project Management Governance policy and the FDIC Project Management Guide,
which defines the FDIC’s project management methodology that all FDIC projects are required
to implement. The FDIC’s guide is based on the PMBOK® Guide, which is recognized as a
commercial and public sector “best practice.”

In assessing compliance with the FDIC Project Management Guide, KPMG performed the
following:
• Conducted interviews with DRR and DIT officials who are responsible for managing and
  implementing ASTEP to ascertain their understanding of the FDIC’s project management
  methodology.
• Conducted interviews with ASTEP stakeholders from DRR, DIT, and DOF in Washington,
  D.C., and Dallas, Texas, to determine their understanding of their roles and responsibilities
  and degree of involvement in system development activities.
• Conducted interviews with contractor management officials tasked to develop the ASTEP
  system to ascertain project management requirements established in accordance with the
  direction of the
  ASTEP project management team.
• Conducted interviews with contractor management officials responsible for providing project
  management advisory support to the ASTEP project management team to ascertain the
  support provided and the officials’ understanding of the project management control
  framework for ASTEP.
• Reviewed key system development documents in obtaining background information on
  ASTEP.
• Identified applicable FDIC policies and procedures related to project management.
• Obtained and reviewed project documents relevant to project management procedures and
  activities.
• Reviewed contract deliverables related to ASTEP systems development and advisory support
  provided to the ASTEP project management team.
• Obtained and reviewed ASTEP contractors’ task orders and requests for proposals.

APPENDIX B: FDIC PROJECT MANAGEMENT FRAMEWORK

In September 2004, the FDIC issued its Project Management Governance policy to promote
more effective management control in reducing project, business, and technical risks. The policy
identifies key governance authorities over projects and defines project management policy and
oversight standards applicable to all projects at the FDIC. This includes adhering to minimum
standards and procedures as defined in the FDIC Project Management Guide, which was also
issued in September 2004. The guide is based on the PMBOK® Guide, which is recognized as a
commercial and public sector “best practice.”

The FDIC Project Management Guide provides the FDIC with a project management
framework.
As shown in Figure 2, the framework consists of five phases in a project’s life cycle.
Each project phase normally includes a set of defined deliverables designed to establish the
desired level of management control. Completing each phase provides the project managers with
the knowledge, tools, and expertise to be successful in subsequent phases. The guide provides
project managers with repeatable and sustainable guidelines to ensure that projects are well
coordinated, thoroughly planned, properly executed, and closed out in accordance with managed
and disciplined processes. Specific management control objectives and supporting processes
associated with each phase are described in Figure 2.

Figure 2: FDIC Project Management Life Cycle

[Figure: life-cycle diagram with panels Initiation, Planning, Monitoring and Control, and Close Out, each listing its key activities.]

Source: FDIC Project Management Guide,
September 2004.\n\n\nInitiation Phase (Phase 1): This phase ensures that managers and leaders associated with the\nproject understand the complexities and intent of a project before considerable effort is\nundertaken to develop and execute it. In this phase, a decision is made on whether to implement\na project based on a CBA of alternatives reviewed by the FDIC\xe2\x80\x99s senior management leadership.\n\nPlanning Phase (Phase 2): In this phase, the project plan is developed in sufficient detail to\nallow the project to be successfully executed and managed and its status communicated to\nstakeholders in a timely fashion. Sufficient detail includes estimating attributes of the work\nproducts and tasks associated with the systems development efforts, determining the resources\nneeded, negotiating commitments, producing a schedule, and identifying and analyzing project\nrisks.\n\n\n\n\n                                                              I - 18\n\x0c                                                                                    APPENDIX B\n\nMonitoring and Control Phase (Phases 3 and 4): During these two phases, the project\nmanagement team analyzes project reports, responds to changes to enable the project to remain\nsuccessful, and creates a means for timely and candid communications with senior leadership\nand stakeholders to improve performance and efficiency. Specific activities would include\ncomparing actual work product and task attributes, effort, cost, and schedule to the plan at\nprescribed milestones or control levels within the project schedule or WBS. The project\nmanagement team would also determine whether appropriate visibility enables timely corrective\naction to be taken when performance deviates significantly from the plan. 
The Monitoring and Control phase runs throughout the project’s life cycle.

Close Out Phase (Phase 5): This phase allows the FDIC to learn from each project experience and ensures that each project has successfully fulfilled its fiscal obligations and accomplished its original intent. In this phase, the project reaches one of three natural conclusions:
• Completion. The project manager or the FDIC senior leadership concludes the project because it either has accomplished its objectives or is not likely to do so with the remaining resources and time available.
• Continuation. The project manager or the FDIC senior leadership determines that the project should continue, either in its current form or in a modified form that stresses or tests another aspect of the project.
• Operationalization. If the results of the project warrant the modification of the organization’s business processes or procedures, the project is incorporated into the organization’s normal business routine.

APPENDIX C: PMBOK® GUIDE OVERVIEW

The PMI has conducted extensive research and analysis in the field of project management and has published a standards guide referred to as the PMBOK® Guide. The PMBOK® Guide documents proven practices, tools, and techniques that have become generally accepted in the field of project management, including information systems development and implementation. The guide identifies project management life-cycle processes that the FDIC has applied in its project management methodology as well as nine distinct knowledge areas, applied in varying degrees that are associated with successful project management.
Table 3 shows the relationship of the knowledge areas to the project management processes for which the knowledge areas are principally applied as key elements of the project planning and controlling processes.

Table 3: Mapping of PMBOK® Guide Knowledge Areas to Management Processes

PMLC* processes (table columns): Initiation, Planning, Executing, Controlling, Closing

Project Integration Management
    Planning: Project Plan Development
    Executing: Project Plan Execution
    Controlling: Integrated Change Control

Scope Management
    Initiation: Initiation
    Planning: Scope Planning; Scope Definition
    Controlling: Scope Verification; Scope Change Control

Time Management
    Planning: Activity Definition; Activity Sequencing; Activity Duration Estimating; Schedule Development
    Controlling: Schedule Control

Cost Management
    Planning: Resource Planning; Cost Estimating; Cost Budgeting
    Controlling: Cost Control

Quality Management
    Planning: Quality Planning
    Executing: Quality Assurance
    Controlling: Quality Control

Human Resource Management
    Planning: Organizational Planning; Staff Acquisition
    Executing: Team Development

Communications Management
    Planning: Communications Planning
    Executing: Information Distribution
    Controlling: Performance Reporting
    Closing: Administrative Closure

Risk Management
    Planning: Risk Management Planning; Risk Identification; Qualitative Risk Analysis; Quantitative Risk Analysis; Risk Response Planning
    Controlling: Risk Monitoring and Control

Project Procurement Management
    Planning: Procurement Planning; Solicitation Planning
    Executing: Solicitation; Source Selection; Contract Administration
    Closing: Contract Closeout

Source: PMBOK® Guide, 2000.
* Project Management Life Cycle.

The knowledge areas are described as follows:

• Integration Management: The processes that ensure various elements of a project are properly coordinated. It consists of project plan development and execution and integrated change control.
• Scope Management: The processes that ensure a project includes all of the work required, and only the work required, to complete the project successfully. It consists of initiation and scope planning, definition, verification, and change control.
• Time Management: The processes that ensure timely completion of a project. It consists of activity definition, sequencing, and duration estimating as well as schedule development and schedule control.
• Cost Management: The processes that ensure a project is completed within the approved budget. It consists of resource planning and cost estimating, cost budgeting, and cost control.
• Quality Management: The processes that ensure a project will satisfy the needs for which it was undertaken. It consists of quality planning, assurance, and control.
• Human Resource Management: The processes that make the most effective use of the people involved within a project. It consists of organizational planning, staff acquisition, and team development.
• Communications Management: The processes that ensure timely and appropriate generation, collection, dissemination, storage, and ultimate disposition of project information. It consists of communications planning, information distribution, performance reporting, and administrative closure.
• Risk Management: The processes concerned with identifying, analyzing, and responding to project risk.
    It consists of risk management planning, risk identification, qualitative and quantitative risk analysis, risk response planning, and risk monitoring and control.
• Procurement Management: The processes related to acquiring goods and services from outside the organization. It consists of procurement and solicitation planning, solicitation, source selection, contract administration, and contract closeout.

APPENDIX D: ACRONYMS

Acronym        Definition
ASP            Application Service Provider
ASTEP          Asset Servicing Technology Enhancement Project
CBA            Cost-Benefit Analysis
CCB            Configuration Control Board
CIO            Chief Information Officer
CIRC           Capital Investment Review Committee
COTS           Commercial Off-the-Shelf
DIT            Division of Information Technology
DOA            Division of Administration
DOF            Division of Finance
DRR            Division of Resolutions and Receiverships
FDIC           Federal Deposit Insurance Corporation
IT             Information Technology
KPMG           KPMG LLP
NPS            National Processing System
OIG            Office of Inspector General
OM             Oversight Manager
OMB            Office of Management and Budget
PMBOK®         Project Management Body of Knowledge
PMI            Project Management Institute
PV             Present Value
TM             Technical Monitor
WBS            Work Breakdown Structure

Part II

Corporation Comments and OIG Evaluation

The report contains two recommendations for the Director, DRR. The Director, DRR, provided a written response to the draft report on November 30, 2005.
Management’s response is presented, in its entirety, beginning on page II-4. DRR management concurred with the recommendations, which we consider resolved, but they will remain open for reporting purposes until we have determined that agreed-to corrective actions have been completed and are effective. In addition to addressing the recommendations, the Director, DRR, also commented on the content of the report. Based on the Director’s comments, we made changes to the report content as deemed appropriate. DRR’s response to the recommendations is summarized below, along with our evaluation of the response.

Recommendation 1: KPMG recommends that DRR, in coordination with DIT, fully document costs and benefits in updating the ASTEP solution through current re-baselining efforts, including addressing key activities associated with specified costs. This analysis should include the lower level of detail available from contractor-developed costs in deriving key system requirements and design specifications that address the ASTEP strategies identified by project sponsors.

DRR Response: DRR concurs with the recommendation. According to established CIRC procedures, if cost estimates remain within the approved investment budget, a formal document updating the original cost-benefit analysis is not required. The ASTEP project management team re-evaluated ASTEP costs, resulting in revised cost estimates within the approved investment budget. The ASTEP project management team is in the process of obtaining concurrence from the Finance Analysis Committee, the Chief Financial Officer, and CIRC, which is expected no later than February 28, 2006.

OIG Evaluation of Response: DRR’s response adequately addresses our concern that cost estimates needed to be updated to reflect system requirements and design specifications that were not known at the time the initial CBA was done.
However, the response did not address whether benefits of the “Best of Breed” option had been updated to take into consideration this additional information. We discussed this issue further with DRR management after receiving its response. DRR management indicated that the original investment budget of $31.8 million will cover all of the functional requirements associated with the benefits identified in the initial CBA. Based on management’s written response and subsequent clarification, we consider the recommendation resolved. Nevertheless, as required by the FDIC Capital Investment Policy, we advise DRR to prioritize the requirements based on the associated benefits, such as those identified in the initial CBA. Doing so will assist DRR in determining which requirements could be deferred or eliminated in the event that certain costs were underestimated. The recommendation will remain open until we have determined that agreed-to corrective action has been completed and is effective.

Recommendation 2: As part of the current project re-baselining effort, KPMG recommends that DRR, in coordination with DIT, enhance the ASTEP project planning process by addressing areas needing improvement, as discussed in this report, to achieve greater compliance with the FDIC Project Management Guide and to provide greater assurance of ASTEP project success, including:

• Defining inter-relationships and integration of responsibilities across project charters.
• Defining the contractor oversight process in relation to ASTEP OM and TM roles, responsibilities, and communication activities.
• Developing an accurate and complete master project plan baseline, under configuration management control, that defines all major ASTEP project activities, including integrating contractor subteam plans into the
    master project plan; defines project and performance measures to measure project success; identifies the scope of work for major activities defined in the plan through a WBS; and fully discloses cost estimates for all resource categories.
• Establishing formal project controls to evaluate variances and, if needed, to initiate corrective actions for schedule, cost, scope, and quality variances.
• Updating and clarifying current risk assessment procedures and practices in the ASTEP risk management plan and finalizing the plan.
• Developing risk mitigation plans for high-priority risks as required by the ASTEP risk management plan and ensuring that issues and risks are addressed in either the risk or the issue logs in accordance with the FDIC’s project management guidelines.

DRR’s Response:

• Defining inter-relationships and integration of responsibilities across project charters.

DRR agrees with this element of recommendation 2. The ASTEP team is currently reviewing the team charter and will update it as deemed necessary.

• Defining the contractor oversight process in relation to ASTEP OM and TM roles, responsibilities, and communication activities.

DRR agrees.
The ASTEP team will add a statement to the Communications Plan, which acknowledges that OM and TM roles are defined and governed by the Acquisition Policy Manual.

• Developing an accurate and complete master project plan baseline, under configuration management control, that defines all major ASTEP project activities, including integrating contractor subteam plans into the master project plan; defines project and performance measures to measure project success; identifies the scope of work for major activities defined in the plan through a WBS; and fully discloses cost estimates for all resource categories.

DRR agrees. The ASTEP team is committed to developing an accurate and complete master project plan that is baselined under configuration management control, that is, a plan that identifies the scope of work for major activities defined in the plan through a WBS. The ASTEP project management team will have cost estimates for resource categories at the task-order level for contractor resources. Project measures indicate whether the project is being executed successfully, namely whether it is on time, on budget, and within scope. The ASTEP team uses the required CIRC reporting process to assess these project measures and reports to the CIRC and the ASTEP Executive Sponsors quarterly. In addition, a bi-weekly scorecard is prepared and reviewed with FDIC senior management. Performance measures to assess whether the execution of the tasks is producing the desired effect will be monitored under a separate plan.

• Establishing formal project controls to evaluate variances and, if needed, to initiate corrective actions for schedule, cost, scope, and quality variances.

DRR agrees.
The schedule will be monitored monthly by the ASTEP project management team, using the Master Project Plan for scheduled starts, finishes, milestones, critical path, and percent complete. As discussed earlier, the cost component of the Master Project Plan will be monitored subject to FDIC system limitations. The Change Control will continue to monitor the scope component of this element.

• Updating and clarifying current risk assessment procedures and practices in the ASTEP risk management plan and finalizing the plan.

DRR agrees. The ASTEP project management team will finalize the Risk Management Plan to include the ASTEP team’s current risk assessment procedures.

• Developing risk mitigation plans for high-priority risks as required by the ASTEP risk management plan and ensuring that issues and risks are addressed in either the risk or the issue logs in accordance with the FDIC’s project management guidelines.

DRR agrees. Rather than using the high-level templates in the FDIC Project Management Guide, the ASTEP project management team is using the more detailed templates provided by the FDIC’s Office of Enterprise Risk Management. The team is reviewing the ASTEP Risk Log and Risk Management Plan to ensure that high-priority risks are identified with specific mitigation plans. Risk mitigation plans will be updated in the Risk Log or Risk Management Plan, as appropriate.

OIG Evaluation of Response: The corrective actions described in the response meet the intent of the recommendation.
We consider the recommendation resolved, but it will remain open until we have determined that agreed-to corrective actions have been completed and are effective.

MANAGEMENT RESPONSE TO RECOMMENDATIONS

This table presents the management response on the recommendations in our report and the status of the recommendations as of the date of report issuance.

Table columns: Recommendation Number; Corrective Action: Taken or Planned/Status; Expected Completion Date; Monetary Benefits; Resolved (a): Yes or No; Open or Closed (b)

Recommendation 1
    Corrective action: The ASTEP project management team has re-evaluated the ASTEP costs, resulting in revised cost estimates within the approved investment budget. The ASTEP project management team is in the process of obtaining concurrence from the Finance Analysis Committee, the Chief Financial Officer, and the CIRC.
    Expected completion date: 2/28/06
    Monetary benefits: N/A
    Resolved (a): Yes
    Open or closed (b): Open

Recommendation 2 (Element 1)
    Corrective action: The ASTEP team is reviewing the team charter and will update it as deemed necessary.
    Expected completion date: 1/31/06
    Monetary benefits: N/A
    Resolved (a): Yes
    Open or closed (b): Open

Recommendation 2 (Element 2)
    Corrective action: The ASTEP team will add a statement to the Communications Plan, which acknowledges that the OM and the TM roles are defined and governed by the Acquisition Policy Manual.
    Expected completion date: 1/31/06
    Monetary benefits: N/A
    Resolved (a): Yes
    Open or closed (b): Open

Recommendation 2 (Element 3)
    Corrective action: The ASTEP project management team is committed to developing an accurate and complete master project plan that identifies the scope of the work for major activities defined in the plan through a WBS. The team will have cost estimates for resource categories at the task-order level for contractor resources. Performance measures to assess whether the execution of the tasks is producing the desired effect will be monitored under a separate plan.
    Expected completion date: 2/28/06
    Monetary benefits: N/A
    Resolved (a): Yes
    Open or closed (b): Open

Recommendation 2 (Element 4)
    Corrective action: The schedule will be monitored monthly by the ASTEP project management team, using the Master Project Plan for scheduled starts, finishes, milestones, critical path, and percent complete. The cost component will be monitored subject to FDIC system limitations. The Change Control will continue to monitor the scope component of this element.
    Expected completion date: 2/28/06
    Monetary benefits: N/A
    Resolved (a): Yes
    Open or closed (b): Open

Recommendation 2 (Element 5)
    Corrective action: The ASTEP team will update the Risk Management Plan to include the team’s current risk assessment procedures.
    Expected completion date: 3/31/06
    Monetary benefits: N/A
    Resolved (a): Yes
    Open or closed (b): Open

Recommendation 2 (Element 6)
    Corrective action: The ASTEP team will develop high-priority risk mitigation plans using more detailed templates provided by the FDIC’s Office of Enterprise Risk Management. The team will review the ASTEP Risk Log and Risk Management Plan to ensure that high-priority risks are identified with specific risk mitigation plans. Risk mitigation plans will be updated in the Risk Log or Risk Management Plan, as appropriate.
    Expected completion date: 3/31/06
    Monetary benefits: N/A
    Resolved (a): Yes
    Open or closed (b): Open

(a) Resolved –
    (1) Management concurs with the recommendation, and the planned corrective action is consistent with the recommendation.
    (2) Management does not concur with the recommendation, but planned alternative action is acceptable to the OIG.
    (3) Management agrees to the OIG monetary benefits, or a different amount, or no ($0) amount. Monetary benefits are considered resolved as long as management provides an amount.
(b) Once the OIG determines that agreed-to corrective actions have been completed and are effective, the recommendation can be closed.
"